
Notice of the Ministry of Finance and the Cyberspace Administration of the People's Republic of China on Printing and Distributing the Interim Measures for the Security Management of Data by Accounting Firms

Author: Network Information Tangshan

To the finance departments (bureaus) and internet information offices of all provinces, autonomous regions, and municipalities directly under the Central Government, the finance bureaus and internet information offices of the Xinjiang Production and Construction Corps, and the Shenzhen Municipal Finance Bureau:

In order to implement the relevant requirements of the "Opinions of the General Office of the State Council on Further Standardizing the Order of Financial Auditing and Promoting the Healthy Development of the Certified Public Accountant Industry" (Guo Ban Fa [2021] No. 30), strengthen the data security management of accounting firms, and standardize the data processing activities of accounting firms, we have formulated the "Interim Measures for Data Security Management of Accounting Firms", which are hereby issued to you. Please implement them accordingly.

Attachment: Interim Measures for Data Security Management of Accounting Firms

Ministry of Finance, Cyberspace Administration of China

April 15, 2024

Interim Measures for Data Security Management of Accounting Firms

Chapter I: General Provisions

Article 1: These Measures are drafted on the basis of the "Law of the People's Republic of China on Certified Public Accountants", the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", the "Personal Information Protection Law of the People's Republic of China", and other laws and regulations, so as to ensure the data security of accounting firms and regulate the data handling activities of accounting firms.

Article 2: These Measures apply to the following data processing activities related to audit business carried out by accounting firms lawfully established within the territory of the People's Republic of China:

(1) Providing audit services to listed companies, unlisted state-owned financial institutions, central enterprises, and the like;

(2) Providing audit services to critical information infrastructure operators or network platform operators with more than 1,000,000 users;

(3) Providing audit services for the overseas listing of domestic enterprises.

Where the audit business engaged in by an accounting firm does not fall within the scope of the provisions of the preceding paragraph, but involves important data or core data, these Measures shall apply.

Article 3: The data referred to in these Measures means any record of information, in electronic or other form, that an accounting firm obtains externally or generates internally in the course of audit business.

Data security refers to taking necessary measures to ensure that data is in a state of effective protection and lawful use, as well as having the ability to ensure a state of continuous security.

Article 4: Accounting firms bear the primary responsibility for data security of the firm, and perform data security protection obligations.

Article 5: The Ministry of Finance is responsible for efforts on data security oversight of accounting firms nationwide, and provincial-level (including Shenzhen and Xinjiang Production and Construction Corps) finance departments are responsible for efforts on data security oversight of accounting firms within that administrative region.

Article 6: The Institute of Certified Public Accountants shall strengthen industry self-discipline, guide accounting firms to strengthen data security protections, and raise the level of data security management.

Chapter II: Data Management

Article 7: Accounting firms shall perform their data security management responsibilities in the following areas:

(1) Establish and complete security management systems for the entire data life cycle, and improve mechanisms for data operations and control;

(2) Complete organizational structures for data security management, clarifying mechanisms for rights and responsibilities for data security management;

(3) Implement categorical and hierarchical management of data appropriate to operational characteristics;

(4) Establish data rights management policies, set up data access and handling permissions in accordance with the principle of least privilege, and periodically review and retain data access records in accordance with relevant provisions;

(5) Organize and carry out data security education and training;

(6) Other matters provided for by laws and regulations.

Article 8: The chief partner (chief accountant) of an accounting firm is the person in charge of data security of the firm.

Article 9: Accounting firms shall determine core data, important data, and general data in accordance with laws and administrative regulations and with the data classification and grading standards of the industry to which the audited entity belongs.

The accounting firm and the audited entity shall clarify the nature, content, and scope of the core data and important data contained in the audit materials through business agreements, confirmation letters, and the like.

Article 10: Accounting firms' storage and processing of core data and important data shall comply with relevant state provisions.

Information systems that store core data shall implement the requirements of level 4 cybersecurity classified protection. Information systems that store important data shall implement the requirements of level 3 or above cybersecurity classified protection.

Where data constitutes a state secret after aggregation or association, it shall be handled in accordance with the laws and administrative regulations on guarding state secrets.

Article 11: Accounting firms shall set up and enable access logging functions for the information systems, databases, network equipment, network security equipment, and the like that are related to audit business.

Where core data is involved, the relevant logs shall be retained for at least three years. Where important data is involved, the relevant logs shall be retained for at least one year; relevant logs concerning the provision of important data to others, the entrustment of its processing to others, or its joint processing shall be retained for not less than three years.

Article 12: Accounting firms shall clarify the operating procedures for data transmission. Encryption technology shall be used during the transmission of core data and important data to protect the security of transmission.

Article 13: Audit working papers shall be stored in accordance with laws, administrative regulations, and relevant state provisions. The relevant encryption equipment shall be deployed within China, a domestic team shall be responsible for its operation and maintenance, and the keys shall be stored within China.

Article 14: Accounting firms shall establish a data backup system. Accounting firms shall ensure that they can still access, retrieve, and use the relevant audit working papers when use of an audit-related application system is suspended or restricted for external technical reasons.

Article 15: Accounting firms shall not include in business agreements or similar contracts any clause providing that the accounting firm will supply domestic project information and data to overseas regulatory authorities.

Article 16: Accounting firms shall employ technical means such as network isolation, user authentication, access control, data encryption, virus prevention, and intrusion detection to promptly identify, block, and trace the source of network attacks and unlawful access, and to ensure data security.

Article 17: Accounting firms shall establish data security emergency response mechanisms, and strengthen monitoring of data security risks. Where risks such as data leaks or security vulnerabilities are discovered, remedial and disposition measures shall be immediately employed. Where a major data security incident occurs, causing core data or important data to be leaked, lost, stolen, or tampered with, it shall be promptly reported to the relevant regulatory departments.

Article 18: Where accounting firms provide overseas with personal information and important data collected or produced in the course of their domestic operations, they shall comply with the relevant provisions on the management of national data exports.

Article 19: Accounting firms shall establish a tiered review mechanism for matters concerning the export of audit working papers, and employ necessary measures to strictly implement data security management and control responsibilities. For audit working papers that need to be exported, the examination and approval procedures shall be handled in accordance with the relevant provisions of the state.

Chapter III: Network Management

Article 20: Accounting firms shall establish and complete network security management and governance structures, establish and complete internal network security management systems, establish internal decision-making, management, enforcement, and oversight mechanisms, ensure that network security management capabilities are commensurate with the professional services provided, and provide a secure network environment for data security management efforts.

Article 21: Accounting firms shall, in accordance with the scale and complexity of their business activities, allocate network management technicians with the corresponding professional skills, and ensure a reasonable investment of network resources and funds.

Article 22: Accounting firms shall properly carry out information system security management and technical protection, take corresponding measures such as physical or logical network isolation according to the level of the data stored and processed, and set up strict access control policies to prevent unauthorized access.

Article 23: Accounting firms shall have the authority to independently manage the network equipment and network security equipment in their audit business systems, shall uniformly set up and maintain system administrator accounts and staff accounts, shall not set up unrestricted or unmonitored superuser accounts, and shall not hand over administrator accounts to third-party operation and maintenance institutions for management or use.

Where accounting firms that have joined an international network use the information systems of that international network, they shall take necessary measures to ensure compliance with national data security laws, administrative regulations, and the provisions of these Measures, so as to ensure the security of their data.

Chapter IV: Supervision and Inspection

Article 24: The Ministry of Finance and provincial-level finance departments (hereinafter collectively referred to as finance departments at the provincial level or above) are to strengthen the sharing of information on data security regulation by accounting firms with the internet information departments, public security organs, and state security organs at the same level.

Article 25: Finance departments at the provincial level or above, and internet information departments at the provincial level or above, are to carry out oversight and inspections of accounting firms' data security. Public security organs and state security organs are to undertake data security oversight duties for accounting firms within the scope of their duties in accordance with law.

Article 26: For accounting firms that undertake audit business in important fields such as finance, energy, telecommunications, transportation, science and technology, and national defense science, technology, and industry, and that fall within the scope of Article 2 of these Measures, finance departments at the provincial level or above shall focus their supervision and inspection efforts on them and continue to strengthen routine supervision.

Article 27: Accounting firms shall cooperate with lawfully carried out data security oversight and inspections, and must not refuse, delay, or obstruct them.

Article 28: Where accounting firms carry out data handling activities that impact or might impact national security, they shall conduct a security review in accordance with the national security review mechanism.

Article 29: Where, in the course of performing data security oversight duties, the relevant departments discover significant security risks in an accounting firm's data handling activities, they may employ regulatory measures such as holding a regulatory interview with the accounting firm and its responsible persons and ordering corrections within a set period of time, so as to eliminate the hidden dangers.

Article 30: Where accounting firms and relevant personnel violate the provisions of these Measures, they shall be dealt with and punished in accordance with the provisions of laws and administrative regulations such as the "Law of the People's Republic of China on Certified Public Accountants", the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", and the "Personal Information Protection Law of the People's Republic of China"; where the duties and authority of other departments are involved, they shall be transferred to the relevant competent departments for handling in accordance with law; where a crime is constituted, it shall be transferred to the judicial organs for investigation of criminal responsibility in accordance with law.

Article 31: Where in the course of performing accounting firms' data security oversight duties, the staff of relevant departments derelict their duties, abuse their authority, or twist the law for personal gain, legal responsibility is to be pursued in accordance with law.

Chapter V: Supplementary Provisions

Article 32: The provisions of the "Law of the People's Republic of China on Guarding State Secrets" and other laws and administrative regulations apply to accounting firms and related personnel carrying out data handling activities involving state secrets.

Article 33: Accounting firms and relevant personnel carrying out other data handling activities involving personal information shall comply with the provisions of relevant laws and administrative regulations.

Article 34: Accounting firms may refer to these Measures to strengthen the management of data from non-audit business.

Article 35: The Ministry of Finance and the State Internet Information Office are responsible for the interpretation of these Measures.

Article 36: These Measures take effect on October 1, 2024.
